diff --git a/hosts/falkenstein/modules/dns/default.nix b/hosts/falkenstein/modules/dns/default.nix
index b54fd05..0447cf2 100644
--- a/hosts/falkenstein/modules/dns/default.nix
+++ b/hosts/falkenstein/modules/dns/default.nix
@@ -35,10 +35,8 @@ let
 subdomains = let
- getVirtualHosts = hostname: map (name: builtins.substring 0 (builtins.stringLength name - (builtins.stringLength domain + 1)) name) (builtins.attrNames self.nixosConfigurations."${hostname}".config.services.caddy.virtualHosts);
- getVirtualHostsNginx = hostname: map (name: builtins.substring 0 (builtins.stringLength name - (builtins.stringLength domain + 1)) name) (builtins.attrNames self.nixosConfigurations."${hostname}".config.services.nginx.virtualHosts);
+ getVirtualHosts = hostname: map (name: builtins.substring 0 (builtins.stringLength name - (builtins.stringLength domain + 1)) name) (builtins.attrNames self.nixosConfigurations."${hostname}".config.services.nginx.virtualHosts);
 genCNAMEs = hostname: lib.attrsets.genAttrs (getVirtualHosts hostname) (label: { CNAME = [ "${hostname}.${domain}." ]; });
- genCNAMEsNginx = hostname: lib.attrsets.genAttrs (getVirtualHostsNginx hostname) (label: { CNAME = [ "${hostname}.${domain}." ]; });
 in lib.attrsets.mergeAttrsList [
 rec {
@@ -56,9 +54,7 @@ let
 }
 (genCNAMEs "nuc")
- (genCNAMEsNginx "nuc")
 (builtins.removeAttrs (genCNAMEs "falkenstein") [ "mail" ])
- (builtins.removeAttrs (genCNAMEsNginx "falkenstein") [ "mail" ])
 ];
 });
 in
diff --git a/hosts/nuc/default.nix b/hosts/nuc/default.nix
index 5f950c3..c6f8ffc 100644
--- a/hosts/nuc/default.nix
+++ b/hosts/nuc/default.nix
@@ -8,6 +8,7 @@
 ./modules/networks
 ./modules/adguard
 ./modules/backup
+ # ./modules/keycloak
 ./modules/jellyfin
 ./modules/cache
 ./modules/matrix
@@ -15,8 +16,7 @@
 ./modules/seafile
 ./modules/torrent
 ./modules/vaultwarden
- # ./modules/nginx
- ./modules/caddy
+ ./modules/nginx
 ./modules/indexing
 ];
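Review bot: The replacement `getVirtualHosts` still derives each DNS label by cutting `builtins.stringLength domain + 1` characters off the end of the vhost name without checking that the name actually ends in `.${domain}`, so any nginx vhost from another zone, or the bare domain itself, would yield a mangled label. Now that every `services.nginx.virtualHosts` entry on a host turns into a public CNAME, such a label gets published rather than ignored. `lib.removeSuffix ".${domain}" name` states the intent and leaves non-matching names intact, so they can be dropped with `lib.filter (lib.hasSuffix ".${domain}")` before the map. The enclosing `let` block continues outside the hunk.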
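Review bot: Swapping `./modules/caddy` for `./modules/nginx` removes the only firewall opening visible in this diff: the deleted caddy module further down carried `networking.firewall.allowedTCPPorts = [ 80 443 ]`, and the NixOS nginx module does not open ports on its own, so unless `./modules/nginx` (not shown here) sets `networking.firewall.allowedTCPPorts = [ 80 443 ];` every vhost and every ACME HTTP-01 challenge on this host becomes unreachable. The `allowedUDPPorts = [ 443 ]` rule served Caddy's HTTP/3 and does not need to return. The preceding hunk adds `./modules/keycloak` only as a commented-out import, so the new module is dead until that line is uncommented; a short `# TODO: enable once the keycloak database is provisioned` style comment would make that intent explicit. The `imports` list closes inside the hunk but the module's attrset continues past it.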
diff --git a/hosts/nuc/modules/authentik/default.nix b/hosts/nuc/modules/authentik/default.nix
index 6354bec..6001fb9 100644
--- a/hosts/nuc/modules/authentik/default.nix
+++ b/hosts/nuc/modules/authentik/default.nix
@@ -9,13 +9,10 @@ in
 services.authentik = {
 enable = true;
 environmentFile = config.age.secrets.authentik.path;
- # nginx = {
- # enable = true;
- # enableACME = true;
- # host = domain;
- # };
+ nginx = {
+ enable = true;
+ enableACME = true;
+ host = domain;
+ };
 };
- services.caddy.virtualHosts."${domain}".extraConfig = ''
- reverse_proxy localhost:9000
- '';
 }
diff --git a/hosts/nuc/modules/cache/default.nix b/hosts/nuc/modules/cache/default.nix
index 12e47b3..7d50632 100644
--- a/hosts/nuc/modules/cache/default.nix
+++ b/hosts/nuc/modules/cache/default.nix
@@ -10,7 +10,9 @@ in
 enable = true;
 secretKeyFile = config.age.secrets.cache.path;
 };
- services.caddy.virtualHosts."${domain}".extraConfig = ''
- reverse_proxy 127.0.0.1:${toString config.services.nix-serve.port}
- '';
+ services.nginx.virtualHosts."${domain}" = {
+ locations."/" = {
+ proxyPass = "http://127.0.0.1:${toString config.services.nix-serve.port}";
+ };
+ };
 }
diff --git a/hosts/nuc/modules/caddy/default.nix b/hosts/nuc/modules/caddy/default.nix
deleted file mode 100644
index b940576..0000000
--- a/hosts/nuc/modules/caddy/default.nix
+++ /dev/null
@@ -1,10 +0,0 @@
-{ config, ... }:
-{
- services.caddy = {
- enable = true;
- email = "ca@${config.networking.domain}";
- logFormat = "format console";
- };
- networking.firewall.allowedTCPPorts = [ 80 443 ];
- networking.firewall.allowedUDPPorts = [ 443 ];
-}
diff --git a/hosts/nuc/modules/keycloak/default.nix b/hosts/nuc/modules/keycloak/default.nix
new file mode 100644
index 0000000..0ace24b
--- /dev/null
+++ b/hosts/nuc/modules/keycloak/default.nix
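Review bot: The new `services.nginx.virtualHosts."${domain}"` in the cache hunk sets only `locations."/".proxyPass` — no `enableACME` and no `forceSSL`/`addSSL` — whereas the Caddy vhost it replaces got automatic HTTPS, so unless `./modules/nginx` (not in this diff) applies TLS to every vhost this now serves the binary cache over plain HTTP with no certificate. The same gap appears in the vaultwarden, seafile and matrix hunks below, while the new keycloak file does set `enableACME = true; forceSSL = true;`, which is exactly the pair the other four need next to their `locations`; vaultwarden in particular must not be reachable without TLS. Note also that `services.nginx.recommendedProxySettings = true`, which these proxies rely on for forwarded headers, is set only inside the matrix module, so removing that import would silently strip the headers from every other vhost.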
@@ -0,0 +1,43 @@
+{ config, ... }:
+let
+ domain = "auth.${config.networking.domain}";
+in
+{
+ age.secrets.keycloak = {
+ file = ../../../../secrets/nuc/keycloak/db.age;
+ };
+ services.keycloak = {
+ enable = true;
+ settings = {
+ http-port = 8084;
+ https-port = 19000;
+ hostname = domain;
+ # proxy-headers = "forwarded";
+ proxy = "edge";
+ };
+ database = {
+ # host = "/var/run/postgresql/.s.PGSQL.5432";
+ # useSSL = false;
+ # createLocally = false;
+ passwordFile = config.age.secrets.keycloak.path;
+ };
+ initialAdminPassword = "plschangeme";
+ };
+ # services.postgresql = {
+ # enable = true;
+ # ensureUsers = [
+ # {
+ # name = "keycloak";
+ # ensureDBOwnership = true;
+ # }
+ # ];
+ # ensureDatabases = [ "keycloak" ];
+ # };
+ services.nginx.virtualHosts."${domain}" = {
+ enableACME = true;
+ forceSSL = true;
+ locations."/" = {
+ proxyPass = "http://127.0.0.1:${toString config.services.keycloak.settings.http-port}";
+ };
+ };
+}
diff --git a/hosts/nuc/modules/matrix/default.nix b/hosts/nuc/modules/matrix/default.nix
index 0b8d08e..3f7c639 100644
--- a/hosts/nuc/modules/matrix/default.nix
+++ b/hosts/nuc/modules/matrix/default.nix
@@ -32,7 +32,6 @@ in
 matrix-synapse = {
 enable = true;
 configureRedisLocally = true;
- enableRegistrationScript = false;
 extraConfigFiles = [ config.age.secrets."matrix/shared".path ];
 log = {
 root.level = "WARNING";
@@ -42,9 +41,10 @@ in
 server_name = config.networking.domain;
 listeners = [{
- path = "/run/matrix-synapse/server.sock";
- mode = "666";
+ port = 8008;
+ bind_addresses = [ "::1" ];
 type = "http";
+ tls = false;
 x_forwarded = true;
 resources = [{
 names = [ "client" "federation" ];
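Review bot: `proxy = "edge"` makes Keycloak trust `X-Forwarded-*` headers from whoever reaches port 8084, and the new file never sets `http-host`, so with Keycloak's default of binding all interfaces (unless the NixOS module overrides it) that header-trusting listener is reachable from the network instead of only from the nginx vhost on `127.0.0.1`; adding `http-host = "127.0.0.1";` to `settings` keeps the proxy-only port local. `initialAdminPassword = "plschangeme"` is a literal that ends up in the world-readable Nix store and in git history; the option is consumed only on first start, so a comment saying it must be rotated immediately after the realm comes up would document the expectation. The commented `# proxy-headers = "forwarded";` and the live `proxy = "edge"` overlap — newer Keycloak deprecates `proxy` in favour of `proxy-headers`, and behind nginx the matching value is `xforwarded`, so keep only the form the deployed version accepts. This file is referenced only by a commented-out import in hosts/nuc/default.nix, so nothing here is evaluated yet.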
@@ -57,24 +57,29 @@ in
 enable = true;
 settings = {
 SYNCV3_SERVER = "https://${domain}";
- SYNCV3_BINDADDR = "/run/matrix-sliding-sync/server.sock";
 };
 environmentFile = config.age.secrets."matrix/sync".path;
 };
- caddy = {
+ nginx = {
+ recommendedProxySettings = true;
 virtualHosts = {
 # synapse
- "${domain}".extraConfig = ''
- reverse_proxy /client/* unix//run/matrix-sliding-sync/server.sock
- reverse_proxy /_matrix/client/unstable/org.matrix.msc3575/sync* unix//run/matrix-sliding-sync/server.sock
- reverse_proxy unix//run/matrix-synapse/server.sock
- '';
+ "${domain}" = {
+ # locations."/".extraConfig = "return 404;";
+
+ # # proxy to synapse
+ # locations."/_matrix".proxyPass = "http://[::1]:8008";
+ locations."/".proxyPass = "http://[::1]:8008";
+ locations."~ ^/(client/|_matrix/client/unstable/org.matrix.msc3575/sync)".proxyPass = "http://localhost:8009";
+ # locations."/_synapse/client".proxyPass = "http://[::1]:8008";
+ };
+
 # element
- "${domainClient}".extraConfig = ''
- root '${pkgs.element-web.override {
+ "${domainClient}" = {
+ root = pkgs.element-web.override {
 conf = {
 default_server_config = {
 inherit (clientConfig) "m.homeserver";
@@ -82,23 +87,13 @@ in
 };
 disable_3pid_login = true;
 };
- }}'
- '';
+ };
+ };
 };
 };
 };
- systemd.services.matrix-synapse = {
- after = [ "matrix-synapse-pgsetup.service" ];
- serviceConfig = {
- RuntimeDirectory = "matrix-synapse";
- };
- };
- systemd.services.matrix-sliding-sync = {
- serviceConfig = {
- RuntimeDirectory = "matrix-sliding-sync";
- };
- };
+ systemd.services.matrix-synapse.after = [ "matrix-synapse-pgsetup.service" ];
 systemd.services.matrix-synapse-pgsetup = {
 description = "Prepare Synapse postgres database";
diff --git a/hosts/nuc/modules/seafile/default.nix b/hosts/nuc/modules/seafile/default.nix
index d231495..6653c0c 100644
--- a/hosts/nuc/modules/seafile/default.nix
+++ b/hosts/nuc/modules/seafile/default.nix
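Review bot: The sliding-sync location `locations."~ ^/(client/|_matrix/client/unstable/org.matrix.msc3575/sync)".proxyPass = "http://localhost:8009"` targets `localhost`, which nginx resolves at startup to both `127.0.0.1` and `::1` and round-robins between; the `SYNCV3_BINDADDR` line is removed in the same hunk, so if sliding-sync falls back to the module default (presumably `127.0.0.1:8009`, given the port chosen here — verify) half of the sync requests first hit a refused `[::1]:8009` and are retried with an upstream error logged each time. Use the literal address, `proxyPass = "http://127.0.0.1:8009";`, as the synapse location already does with `[::1]:8008`. The unescaped dots in `org.matrix.msc3575` are harmless but `org\.matrix\.msc3575` says what is meant. The `services` block and the element vhost continue outside the hunk.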
@@ -31,16 +31,21 @@ in
 }
 '';
 };
- services.caddy.virtualHosts."${domain}".extraConfig = ''
- redir /accounts/login /oauth/login
- reverse_proxy unix//run/seahub/gunicorn.sock
- route /media/* {
- root '${pkgs.seahub}'
- }
-
- route /seafhttp/* {
- uri strip_prefix /seafhttp
- reverse_proxy 127.0.0.1:${toString config.services.seafile.seafileSettings.fileserver.port}
- }
- '';
+ services.nginx.virtualHosts."${domain}" = {
+ locations."/" = {
+ proxyPass = "http://unix:/run/seahub/gunicorn.sock";
+ };
+ locations."/seafhttp" = {
+ proxyPass = "http://127.0.0.1:${toString config.services.seafile.seafileSettings.fileserver.port}";
+ extraConfig = ''
+ rewrite ^/seafhttp(.*)$ $1 break;
+ '';
+ };
+ locations."/media" = {
+ root = pkgs.seahub;
+ };
+ locations."/accounts/login" = {
+ return = "301 /oauth/login";
+ };
+ };
 }
diff --git a/hosts/nuc/modules/vaultwarden/default.nix b/hosts/nuc/modules/vaultwarden/default.nix
index 5a7e07f..fe0ac59 100644
--- a/hosts/nuc/modules/vaultwarden/default.nix
+++ b/hosts/nuc/modules/vaultwarden/default.nix
@@ -29,7 +29,9 @@ in
 ];
 ensureDatabases = [ "vaultwarden" ];
 };
- services.caddy.virtualHosts."${domain}".extraConfig = ''
- reverse_proxy 127.0.0.1:${toString config.services.vaultwarden.config.rocketPort}
- '';
+ services.nginx.virtualHosts."${domain}" = {
+ locations."/" = {
+ proxyPass = "http://127.0.0.1:${toString config.services.vaultwarden.config.rocketPort}";
+ };
+ };
 }
diff --git a/secrets/thinkpad/wireless.age b/secrets/thinkpad/wireless.age
index b21cdfb..555fe84 100644
Binary files a/secrets/thinkpad/wireless.age and b/secrets/thinkpad/wireless.age differ
diff --git a/shared/zsh.nix b/shared/zsh.nix
index d62b914..08e66c3 100644
--- a/shared/zsh.nix
+++ b/shared/zsh.nix
@@ -9,7 +9,6 @@
 trash-cli
 nix-output-monitor
 iperf
- jq
 ];
 users.defaultUserShell = pkgs.zsh;
 programs.fzf = {
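Review bot: The `/seafhttp` location gets `proxyPass` and the prefix-stripping `rewrite`, but no body-size override: NixOS nginx applies `services.nginx.clientMaxBodySize` (default `10m`) to every location, whereas the removed Caddy route had no request-body limit, so file uploads larger than that will now be rejected with 413 at the proxy. Seafile's published nginx example pairs this location with `client_max_body_size 0;` and `proxy_request_buffering off;` so large uploads stream through instead of being spooled to disk; both lines belong in the same `extraConfig` string as the `rewrite`. The `/media` location with `root = pkgs.seahub` and the `301` redirect reproduce the old Caddy behaviour. The module's attrset continues past the hunk.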